diff --git a/.gitignore b/.gitignore
index 8e98e2f..a837ec5 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,5 +1,6 @@
 # Backup files, redundant with git history
-/gpg/*~
+/gpg*/*~
+/gpg*/S.*
 # TOFU trust database (unused; see https://www.gnupg.org/documentation/manuals/gnupg/GPG-Configuration-Options.html)
-/gpg/tofu.db
+/gpg*/tofu.db
diff --git a/README.md b/README.md
index 7042cf8..8719882 100644
--- a/README.md
+++ b/README.md
@@ -61,11 +61,15 @@ Other keys used to sign some previous releases:
 ## Verifying Release Packages
-This repo contains the raw release signing keys in two forms:
+This repo contains the raw release signing keys in three forms:
- 1. The **keys/** directory contains the raw ASCII-armored release signing keys listed above.
+- The **keys/** directory contains the raw ASCII-armored release signing keys listed above.
- 2. The **gpg/** directory contains a GPG keyring preloaded with these release signing keys.
+- The **gpg/** directory contains a GPG keyring preloaded with these release signing keys.
+
+- The **gpg-only-active-keys/** directory contains a GPG keyring preloaded with
+ the active release signing keys. Use this if you only need to verify
+ signatures of "future" releases.
 For additional verification of both the keys' content *and* of the list of authorized signing keys, you may cross-reference the list with [nodejs.org](https://nodejs.org) and attempt to
diff --git a/cli.sh b/cli.sh
index dd5843c..b314a10 100755
--- a/cli.sh
+++ b/cli.sh
@@ -55,6 +55,7 @@ nodejs_keys_add() {
 gpg --export --armor "${KEY_ID}" > "${CLI_DIR}/keys/${KEY_ID}.asc"
 GNUPGHOME="${CLI_DIR}/gpg" gpg --import "${CLI_DIR}/keys/${KEY_ID}.asc"
+ GNUPGHOME="${CLI_DIR}/gpg-only-active-keys" gpg --import "${CLI_DIR}/keys/${KEY_ID}.asc"
 printf "keys.list <- "
 if grep --quiet "${KEY_ID}" "${CLI_DIR}/keys.list"; then
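Review bot: The widened `/gpg*/` patterns cover editor backups, agent sockets and `tofu.db`, but not the other state GnuPG writes into a GNUPGHOME it is pointed at, in particular `private-keys-v1.d/` (the agent's secret-key store) and `random_seed`; since this repository publishes keyrings, ignoring those guards against secret key material or seed data being committed by accident if someone runs an import or key operation with GNUPGHOME set to one of these directories. I would add `/gpg*/private-keys-v1.d/` and `/gpg*/random_seed` next to the new `S.*` entry. Whether a plain `--import` creates them depends on the agent being started, so treat this as belt-and-braces rather than a defect in the visible hunk.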
diff --git a/gpg-only-active-keys/pubring.kbx b/gpg-only-active-keys/pubring.kbx
new file mode 100644
index 0000000..7573ced
Binary files /dev/null and b/gpg-only-active-keys/pubring.kbx differ
diff --git a/gpg-only-active-keys/trustdb.gpg b/gpg-only-active-keys/trustdb.gpg
new file mode 100644
index 0000000..5dc9858
Binary files /dev/null and b/gpg-only-active-keys/trustdb.gpg differ